Re: [dns-operations] Why did .KE go insecure? ns36.cdns.net
On Fri, Sep 23, 2022 at 07:48:50PM +0200, Bill Woodcock wrote: > > On Sep 23, 2022, at 7:27 PM, Jacques Latour wrote: > > Just looking quickly, if you look back in dnsviz on Sept 15, I think a KSK > > roll over didn't go as plan... > > That was not the root cause. I’m sure they’ll discuss it when they’re ready > to. I concur. There were no observed DNSSEC issues, such as a problem rollover, ... The DS records were withdrawn cleanly, with the RRSIGs still in place long enough to not cause any issues. -- Viktor. ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Why did .KE go insecure? ns36.cdns.net
> On Sep 23, 2022, at 7:27 PM, Jacques Latour wrote: > Just looking quickly, if you look back in dnsviz on Sept 15, I think a KSK > roll over didn't go as plan... That was not the root cause. I’m sure they’ll discuss it when they’re ready to. -Bill signature.asc Description: Message signed with OpenPGP ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Why did .KE go insecure? ns36.cdns.net
Just looking quickly, if you look back in dnsviz on Sept 15, I think a KSK roll over didn't go as plan... https://dnsviz.net/d/ke/YyK2rw/dnssec/ Now, here's a nice feature, a play button that shows a step by step of key roll over. -Original Message- From: dns-operations On Behalf Of Bill Woodcock Sent: September 23, 2022 12:45 PM To: Jan-Piet Mens Cc: dns-operations@lists.dns-oarc.net Subject: [EXT] Re: [dns-operations] Why did .KE go insecure? ns36.cdns.net [Some people who received this message don't often get email from wo...@pch.net. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] > On Sep 23, 2022, at 6:09 PM, Jan-Piet Mens via dns-operations > wrote: > > > From: Jan-Piet Mens > Subject: Why did .KE go insecure? ns36.cdns.net > Date: September 23, 2022 at 6:09:04 PM GMT+2 > To: dns-operations@lists.dns-oarc.net > > > Out of curiousity, does anybody know why .KE went insecure just after > 2022-09-15 18:37Z [1]? They appear to have removed all DNSSEC related data > meanwhile [2]. Yes. I imagine they’ll make an announcement at some point. It wasn’t to do with a failure of DNSSEC systems. -Bill ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Why did .KE go insecure? ns36.cdns.net
> On Sep 23, 2022, at 6:09 PM, Jan-Piet Mens via dns-operations > wrote: > > > From: Jan-Piet Mens > Subject: Why did .KE go insecure? ns36.cdns.net > Date: September 23, 2022 at 6:09:04 PM GMT+2 > To: dns-operations@lists.dns-oarc.net > > > Out of curiousity, does anybody know why .KE went insecure just after > 2022-09-15 18:37Z [1]? They appear to have removed all DNSSEC related data > meanwhile [2]. Yes. I imagine they’ll make an announcement at some point. It wasn’t to do with a failure of DNSSEC systems. -Bill signature.asc Description: Message signed with OpenPGP ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
[dns-operations] Why did .KE go insecure? ns36.cdns.net
--- Begin Message --- Out of curiousity, does anybody know why .KE went insecure just after 2022-09-15 18:37Z [1]? They appear to have removed all DNSSEC related data meanwhile [2]. -JP [1] https://dnsviz.net/d/ke/YyNw8w/dnssec/ [2] https://dnsviz.net/d/ke/Yy3YYw/dnssec/ --- End Message --- ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net
On Thu, Sep 22, 2022 at 02:12:43PM +, BS Domain Technical Contact wrote a message of 64 lines which said: > Please provide an update regarding the same. Thanks. Which update? Nothing changed. % dig @ns36.cdns.net com.bs ; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @ns36.cdns.net com.bs ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46699 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;com.bs.IN A ;; AUTHORITY SECTION: bs. 9000 IN SOA dns.nic.bs. bsadmin.cob.edu.bs. ( 2022092000 ; serial 3600 ; refresh (1 hour) 900; retry (15 minutes) 1814400; expire (3 weeks) 9000 ; minimum (2 hours 30 minutes) ) ;; Query time: 12 msec ;; SERVER: 2001:678:4::24#53(ns36.cdns.net) (UDP) ;; WHEN: Fri Sep 23 09:27:04 CEST 2022 ;; MSG SIZE rcvd: 101 ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net
--- Begin Message --- On 22/09/2022 16.12, BS Domain Technical Contact wrote: Please provide an update regarding the same. Thanks. I'm still getting NXDOMAIN. It's fairly easy for anyone to check by running e.g. dig @ns36.cdns.net com.bs. --- End Message --- ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net
Good morning, Please provide an update regarding the same. Thanks. Rudyard Burton Office of Information Technology University of The Bahamas Phone: 242-302-4528 Email: rudyard.bur...@ub.edu.bs -Original Message- From: Viktor Dukhovni Sent: Tuesday, September 20, 2022 8:34 PM To: dns-operati...@dns-oarc.net Cc: BS Domain Technical Contact ; BS Domain Administrator Subject: ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net The .COM.BS is an empty non-terminal with various child domains registered beneath. The "ns36.cdns.net" nameserver for .BS responds with NXDOMAIN to "com.bs" qname-minimised queries. This in turn can and does sometimes lead to NXDOMAIN inference for the child domains. This nameserver needs to be withdrawn and fixed before it is returned to service. 2001:678:4::24ns36.cdns.net 194.0.1.36ns36.cdns.net Example responses: @194.0.1.36 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3297 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;com.bs.IN SOA ;; AUTHORITY SECTION: bs. SOA dns.nic.bs. bsadmin.cob.edu.bs. 2022092000 3600 900 1814400 9000 @2001:678:4::24 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39616 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;com.bs.IN SOA ;; AUTHORITY SECTION: bs. SOA dns.nic.bs. bsadmin.cob.edu.bs. 2022092000 3600 900 1814400 9000 -- Viktor. ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations